
Auto Renew LetsEncrypt SSL Certs the ‘Dumb Way’

Over 40 million websites use LetsEncrypt SSL Certs already. Undoubtedly, it has been a great relief for DevOps and site owners to have a little security for their users for free in the form of HTTPS.

Having to go into manually update the 3-month expiry certificates LetsEncrypt generates for you each time can be boring and annoying, especially if you’re managing many domains.

I currently manage SSL for 5 domains with LetsEncrypt.

Automating the process of renewal when certificates are already generated is priceless, and so, for a second, let’s all wear the ‘Dumb’ DevOps hat, and save our souls with scripts that get the job done for us.

Autorenewals

This article assumes these steps have been taken care of already:

  • Server is Ubuntu 16.04 LTS
  • Server is using Nginx
  • LetsEncrypt is installed
  • Certificates for the domains have already been generated using the standalone approach and activated accordingly and appropriately to work with Nginx.

With the above in mind, we want to have this happening:

  • Run a script which will attempt to autorenew certificates every week. I chose Sundays at 00:00 GMT.

I chose that time because it is within a timeslot where my server generally receives the least to no traffic.

To keep running a script each week, we turn to Cron!

This Cron task would do the job:

$ sudo crontab -e

# Run renewal script weekly at 00:00 GMT on Sundays
# If something goes wrong, email me!
0 0 * * 0 /opt/renew-ssl >> /path/to/mylogs/le-renew.log && curl -sm 30 k.wdt.io/myemail@gmail.com/<cronjob-name>?c=0_0_*_*_0

Our /opt/renew-ssl script will then look like this:

#!/bin/sh
# Stop Nginx so the standalone authenticator can bind ports 80/443
service nginx stop
# Give Nginx a moment to release the ports before renewing
sleep 5s
letsencrypt renew
status=$?
# Always bring Nginx back up, then report the renewal's result to cron
# (the crontab's && only pings the watchdog when this script exits 0)
service nginx start
exit $status

Does it work? Yes.

Is it the most fanciful? No.

We sleep 5 seconds to give Nginx ample time to stop. We don’t want a situation where Nginx hasn’t finished shutting down when LetsEncrypt kicks in and tries to bind the ports.

Sleeping 5 seconds is like 450 years in a computer’s view of time, which is more than enough to ensure Nginx is fully stopped.

Since I use the standalone approach, ports 80/443 must be free for LetsEncrypt to do its thing when renewing certificates. Thus, we stop Nginx.

We wait 5 seconds, then issue the obvious command.

Nginx is then started again.

Done.
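A slightly more careful variant of the script above, added here as an example (it is not the script from the article): it always restarts Nginx even when the renewal fails, writes timestamped lines into the cron log, and exits with the renewal’s own status so the `&& curl` watchdog ping in the crontab only fires when the renewal really succeeded. The STOP_CMD, START_CMD, RENEW_CMD and SETTLE_SECS variables are assumptions of this example: they default to the article’s real commands but can be overridden to exercise the flow on a box without nginx or letsencrypt.

```shell
#!/bin/sh
# Hardened /opt/renew-ssl (added example; not the article's script).
# The command variables are assumptions of this example: they default to the
# article's real commands but can be overridden to exercise the flow without
# nginx or letsencrypt present.
STOP_CMD="${STOP_CMD:-service nginx stop}"
START_CMD="${START_CMD:-service nginx start}"
RENEW_CMD="${RENEW_CMD:-letsencrypt renew}"
SETTLE_SECS="${SETTLE_SECS:-5}"   # seconds for Nginx to release ports 80/443

# Timestamped line for the cron log (cron appends stdout to le-renew.log).
log() { printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*"; }

# Stop Nginx, renew, then ALWAYS start Nginx again. Returns the renewal's
# exit status (1 if Nginx would not stop, 2 if it would not start), so the
# crontab's `&& curl ...` watchdog ping only fires on a successful renewal.
renew_with_nginx_stopped() {
    log "stopping nginx so the standalone authenticator can bind 80/443"
    # If Nginx refuses to stop it is presumably still serving; do not renew.
    $STOP_CMD || { log "nginx stop failed; not renewing"; return 1; }
    sleep "$SETTLE_SECS"
    $RENEW_CMD
    status=$?
    log "letsencrypt renew exited with status $status"
    $START_CMD || { log "WARNING: nginx did not start; site is down"; return 2; }
    log "nginx started"
    return "$status"
}

# Run only when installed as /opt/renew-ssl; under any other file name this
# script merely defines the functions above.
case "${0##*/}" in renew-ssl) renew_with_nginx_stopped ;; esac
```

Because the script’s exit status now reflects the renewal, a failed renewal leaves the watchdog unpinged and the site still served by Nginx.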

Does it run?

To check if the script ran, after 00:00 on Sunday look at the modification timestamp of the /path/to/mylogs/le-renew.log file. If it matches 00:00 GMT, then be happy.

Duh! You could simply open the le-renew.log file and inspect the log contents.

Conclusion

Until LetsEncrypt came along, getting SSL certs for websites was never this easy.

Big thanks to LetsEncrypt for making the web a little safer to browse. Now you can browse your HTTPS-enabled websites, such as Khophi.co and all our client and personal projects, knowing your communication is, to a great extent, secured and safe!

Happy browsing!
